Privacy Policy
Effective 2026-05-08. This policy explains what Maven collects, why, how long we keep it, and the rights you have over it.
1. Who we are
Maven ("we", "us", "our") operates an AI-native technical hiring assessment platform. This Privacy Policy applies to candidates, employers, and admin users of the Maven web application and APIs.
2. What we collect
We collect three categories of data when you use Maven:
2.1 Account data
- Email address and display name
- Hashed password (we never store plaintext passwords)
- Role: CANDIDATE, EMPLOYER, or ADMIN
- Optional cohort tag (e.g. "STUDENT_BETA_2026Q2")
- Timestamps of consent acceptance and email verification
2.2 Assessment data (candidates only)
- Code — every keystroke and snapshot you write during a session
- AI interactions — every prompt you send to the AI copilot and every response you receive
- Behavioral signals — webcam-derived metrics (gaze direction, face presence, blink rate, head stability) when proctoring is enabled. The webcam frames themselves are processed in your browser and never sent to our servers; only derived numeric metrics are stored.
- Session timeline — file opens, file edits, code runs, test runs, AI prompt/insert/skip events, tab switches
- Submission — your final code, file map, and any debrief answers
2.3 Operational data
- IP address (used only for rate-limiting)
- Authentication logs (login, password resets, account deletions)
- Service-side error logs (no body content captured)
3. What we do not collect
- We do not record or transmit raw webcam video. Frames are analyzed in-browser and discarded.
- We do not record audio.
- We do not capture screen content outside the Maven workspace.
- We do not run third-party advertising trackers.
4. Why we collect it (lawful basis)
- Performance of contract — to operate the assessment and deliver results to the employer who invited you
- Legitimate interest — to detect fraud (e.g. multiple faces in proctoring view) and improve the platform
- Consent — for any use of anonymized assessment data in product research or model training. You may withdraw this consent at any time.
5. How we share it
- Employers see the assessments they created and the submissions of candidates who responded to their invites — and only those. Tenant isolation prevents cross-employer access.
- Maven admins (internal, non-customer-facing) can view all data for support, abuse investigation, and platform monitoring.
- Service providers: we share data with the minimum necessary processors — Supabase (database hosting), Anthropic (AI copilot — your prompts and code are sent to Anthropic for inference), E2B (sandbox execution — your code runs inside an E2B container), Resend (transactional email), and Vercel (frontend hosting).
- We never sell personal data to third parties.
6. How long we keep it
- Account data: kept while your account is active. Deleted on account deletion.
- Submission data: kept for 24 months after submission unless the employer extends retention contractually. After that, it is anonymized or deleted.
- Audit logs: kept for 12 months for security and compliance.
- Anonymized aggregate data: may be retained indefinitely (cannot be linked back to you).
7. Your rights
You have the right to:
- Access — request a copy of your data. Email privacy@maven.dev.
- Delete — candidates can delete their account and all associated submissions from the candidate profile page (GDPR/CCPA right to erasure).
- Anonymize — keep your submissions for the employer who invited you, but strip your identity. Use the "Anonymize my account" option in your profile.
- Withdraw consent — opt out of having your data used for product research / model training. We will exclude your data from future training datasets within 30 days.
- Object — to specific processing activities. Email privacy@maven.dev.
8. Beta cohort participants
If your account has a non-null cohort tag (e.g. you signed up via a university beta link), you are participating in a closed pilot. By accepting these terms you agree that anonymized data from your sessions may be used to evaluate and improve the platform's scoring models. You may withdraw at any time using the anonymize option above; from that point forward, your future sessions are excluded from research datasets.
9. Security
- Passwords are hashed with bcrypt (cost factor 10).
- JWTs are signed with a 32-byte random secret and expire in 7 days.
- All traffic uses HTTPS / TLS 1.2+.
- Database access is scoped per-employer at the API layer.
- We perform regular dependency scans; critical CVEs are patched within 7 days.
10. International transfers
Maven's primary database is in ap-northeast-1 (Tokyo). Anthropic processes prompts in the US. E2B sandboxes run in US data centers. By using Maven you consent to these transfers under Standard Contractual Clauses where required.
11. Children
Maven is not intended for users under 16. If we learn we have collected data from a user under 16 without parental consent, we will delete it.
12. Changes to this policy
We bump the version of this policy whenever it changes materially. If you accepted an older version, we will re-prompt you for consent at next login.
13. Contact
Questions, requests, or complaints: privacy@maven.dev.